---
title: Microsoft (Client Credentials)
sidebarTitle: Microsoft (Client Credentials)
---

import Overview from "/snippets/overview.mdx"
import PreBuiltTooling from "/snippets/generated/microsoft-oauth2-cc/PreBuiltTooling.mdx"
import PreBuiltUseCases from "/snippets/generated/microsoft-oauth2-cc/PreBuiltUseCases.mdx"


<Overview />
<PreBuiltTooling />
<PreBuiltUseCases />

## Access requirements
| Pre-Requisites | Status | Comment|
| - | - | - |
| Paid dev account | ✅ Not required | Free, self-signup for a [Microsoft account](https://account.microsoft.com/account) and [Azure account](https://azure.microsoft.com/free). |
| Paid test account | ✅ Not required | Free Microsoft account can be used for testing. |
| Partnership | ✅ Not required | |
| App review | ⚠️ Conditional | Required only if you want to publish your app to the Microsoft commercial marketplace or if your app needs admin consent for certain permissions. |
| Security audit | ✅ Not required | |

## Setup guide

_No setup guide yet._

<Tip>Need help getting started? Get help in the [community](https://nango.dev/slack).</Tip>

## Useful links

| Topic | Links | 
| - | - | 
| General | [Microsoft Entra Admin Center](https://entra.microsoft.com) |
| | [Azure Portal](https://portal.azure.com) |
| | [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) |
| Developer | [Microsoft identity platform documentation](https://learn.microsoft.com/en-us/entra/identity-platform/) |
| | [Microsoft Graph API Overview](https://learn.microsoft.com/en-us/graph/overview) |
| | [How to register an Application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) |
| | [OAuth 2.0 Client Credentials Flow](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow) |
| | [Microsoft Graph Permissions Reference](https://learn.microsoft.com/en-us/graph/permissions-reference) |
| | [Microsoft Authentication Libraries (MSAL)](https://learn.microsoft.com/en-us/entra/identity-platform/msal-overview) |
| | [Microsoft Graph API Reference](https://learn.microsoft.com/en-us/graph/api/overview) |
| | [Microsoft Graph Throttling Guidance](https://learn.microsoft.com/en-us/graph/throttling) |

<Note>Contribute useful links by [editing this page](https://github.com/nangohq/nango/tree/master/docs/integrations/all/microsoft-tenant-specific.mdx)</Note>

## Common Permissions

| Permission                     | Description                                                               |
| ------------------------ | ------------------------------------------------------------------------- |
| Application.ReadWrite.All | Full control of app registrations                                         |
| User.Read.All             | Read all user profiles (no user sign-in required)                         |
| Mail.Read                 | Read mail in all mailboxes (organization-wide)                            |
| Calendars.ReadWrite       | Read and write calendars across the organization                          |
| Files.Read.All            | Read all files the app has access to in the organization                  |
| Directory.Read.All        | Read Azure AD data, including users, groups, and devices                  |
| Sites.Read.All            | Read SharePoint and OneDrive content across the organization              |


## API gotchas
-   Microsoft has a unified OAuth system for their various APIs. This provider should work for most of them (e.g. Microsoft EntraID, OneNote, Onedrive, Outlook, Sharepoint Online, Microsoft Teams etc.).
-   You can find permissions required for each API call in their corresponding API methods section, i.e, to retrieve a list of notebook objects from Onenote, you can have a look at [List Notebooks permissions](https://learn.microsoft.com/en-us/graph/api/onenote-list-notebooks?view=graph-rest-1.0&tabs=http#permissions).
-   See particularly the `tenantId` parameter under [Get a token](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#get-a-token).
-   Microsoft offers a tool that allows you to construct and perform Graph API queries and see their response for any apps on which you have an admin, developer, or tester role. For more information you can check [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer).
-   Please be aware that the Microsoft Graph API implements throttling to manage the volume of requests. For more information on handling throttling, refer to the [Microsoft Graph Throttling Guidance](https://learn.microsoft.com/en-us/graph/throttling).
-   Microsoft Graph API has different versions (v1.0 and beta). The v1.0 endpoint is for production use, while the beta endpoint contains features that are still in preview.
-   When requesting **Application Permissions** that require admin consent, an Microsoft Entra ID administrator must pre-authorize the permissions. Without admin consent, the app cannot obtain tokens for those scopes.
-   For multitenant applications, each tenant administrator must grant consent to the app’s required permissions before access is granted in their tenant.
-  The [.default scope](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#default-when-the-user-gives-consent) is a special scope that tells Azure AD to issue a token containing all the **Application Permissions** that have already been granted (consented) for your app on that resource. Using `.default` ensures your app receives permissions consistent with those configured and consented at the tenant or organization level.
-   The `.default` scope can't be combined with the scopes registered in the Azure portal. So either just use the `.default` scope or remove it to list out explicit parameters that are required. If you attempt to combine them you'll receive the following error
```
.default scope can't be combined with resource-specific scopes
```
-   Since **Microsoft (Client Credentials)** does not involve a user, a Microsoft Entra ID administrator must grant consent to the required **Application Permissions** in advance. This can be done through the [Azure Portal](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal) or by using the [admin consent endpoint](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=ms-graph).
<Note>Contribute API gotchas by [editing this page](https://github.com/nangohq/nango/tree/master/docs/integrations/all/microsoft-oauth2-cc.mdx)</Note>

<Card title="Connect to Microsoft (Client Credentials)" icon="link" href="/integrations/all/microsoft-oauth2-cc/connect" horizontal>
  Guide to connect to Microsoft (Client Credentials) API using Nango Connect.
</Card>